Letsencrypt vs 3rd level domains

Name Version
Operating system Ubuntu Linux 24.04
Webmin version 2.111
Usermin version 2.010
Virtualmin version 7.20.2
Authentic theme version 21.10

I am handling 3rd level domains (whatever.example.com)
by this redirect (since that is the way … which I was on for 14 years):

RewriteEngine on

# non www  xxx.com to www.xxx.com
# http://stackoverflow.com/questions/4916222/htaccess-how-to-force-www-in-a-generic-way

# example.cz to www.example.cz
RewriteCond %{HTTP_HOST} ^(.*)$ [NC]
RewriteCond %{HTTP_HOST} !^(.*)\.(.*)\. [NC]
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ HTTP%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteCond %{HTTP_HOST} ^([^\.]+)\.(.*)
RewriteCond %{DOCUMENT_ROOT}/%1 -d
RewriteRule ^(.*) /%1/$1 [L]

So I have at:
/home/example.com/htdocs/whatever
domain:
whatever.example.com

and
/home/example.com/htdocs/www
domain:
www.example.com


Now, I want an SSL cert generated by Let's Encrypt, but that would fail due to a 404 on the well-known file.

I tried to bypass this redir for that dir, like:

# Exclude Let's Encrypt verification directory from the rewrite rules
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/

But that did not work.
Can you help me to point out where .well-known is temporarily created?
I can point my redir to that location.

I was thinking about commenting out the “unlink” command at
/usr/share/webmin/virtual-server
feature-ssl.pl, generate-letsencrypt-cert.pl, letsencrypt.cgi, virtual-server-lib-funcs.pl
… but it's too deep to edit. Especially with 5 tries / hour (from LE).

Please note that I have there like 400GB, 10+ domains, 1M+ files and it's kinda impossible to change the order of subdomains on the fly (even when I would really like to know where to simply add DYNAMIC 3rd level domain generation … since some domains have like 200+ subdomains).

But to get the trick for Let's Encrypt would be fine for now.
Please know that with this redir disabled (some domains don't require subdomains) it works like a charm.

Log:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for xxx and 6 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: xxx.xxx.com
  Type:   unauthorized
  Detail: 123.123.123.123: Invalid response from http://xxx.xxx.com/.well-known/acme-challenge/NqxxxxxxxxxxxxxxxxM: 404 (or 401 in some cases)
...
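
A RewriteCond applies only to the RewriteRule directly after it, so one way to exempt the challenge path from both rule sets above is a pass-through rule placed ahead of them. The following is an added example, not part of the original post or Virtualmin's own configuration; it assumes the webroot authenticator writes challenge files under the domain's document root (here /home/example.com/htdocs/.well-known/acme-challenge/).

```apache
RewriteEngine on

# Added (assumption: challenge files live in DOCUMENT_ROOT/.well-known/acme-challenge/).
# "-" means "no substitution" and [L] ends rule processing for this request,
# so neither rule set below ever sees an ACME HTTP-01 challenge URL.
# The optional leading slash lets the pattern match both in .htaccess
# (path without leading slash) and in virtual host context (with it).
RewriteRule ^/?\.well-known/acme-challenge/ - [L]

# example.cz to www.example.cz (rules from the post, unchanged)
RewriteCond %{HTTP_HOST} ^(.*)$ [NC]
RewriteCond %{HTTP_HOST} !^(.*)\.(.*)\. [NC]
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ HTTP%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# First host label selects a subdirectory of the document root (unchanged).
# Without the pass-through rule above, a challenge request for
# whatever.example.com would be looked up under /whatever/.well-known/...
RewriteCond %{HTTP_HOST} ^([^\.]+)\.(.*)
RewriteCond %{DOCUMENT_ROOT}/%1 -d
RewriteRule ^(.*) /%1/$1 [L]
```

With the pass-through rule first, a challenge request on any host name of the domain is answered from the one shared directory under the document root instead of from the per-subdomain directory.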

I think the /.well-known path is excluded by the OS

See

Virtualmin --> Configure SSL Website --> Aliases and Redirects

You might also need to add an alias to the domains so Virtualmin’s Lets encrypt procedure will generate a certificate, or you could use a wild card cert.

Enable Wildcard for a domain

  • Virtualmin → Web Configuration → Website Options → Website matches all sub-domains
    • Tooltip: If the virtual server’s DNS domain is hosted on this system, Virtualmin will also add the wildcard * DNS record when Yes is selected.

Throughout the forum, this configuration is not recommended.

Look at the directory structure

This is not a default Virtualmin setup. As you are aware, Virtualmin creates public_html rather than htdocs, and of course if you create a subdomain, Virtualmin will place it at

/home/<user>/domains/<sub domain name>/public_html

Using this approach there is no need for a wild card certificate as you will just request a certificate for the TLD and each of the sub domains in their own right.
@xsoft did you import this data from another system?

There is nothing on that page.
( just that ^/awstats$ → /awstats/ )

I am unable to do that because my server is not handling the DNS (the other NS server do).
I know about this option and it would be great. Sadly I can not use this method.

Ok. How? (Note that I mentioned that I have 200+ subdomains there, dynamically created. And DNS I can not use here.)

Well, it was the default Virtualmin setup 14 years ago. (I'm personally using /srv/www or /srv/php elsewhere.) Not that I would like to change or fix that since it is not broken.


… ok, any tips for my situation?
Any “smart” redir that would fix SSL LE generation.
Or maybe different way to enable those dynamic 3rd level domains (that SSL would be happy with)?

Just for reference, this is mine

Virtualmin → Configure SSL Website → Aliases and Redirects

14 years is a VERY long time - a lot has changed in that time so you cannot expect things to have stood still. Most changes are not sudden and are progressive.

The “/.well-known” map is not there.

I know. If there would be something like … regenerate config … that would do. (like to delete apache2 config and create a fresh clean one from the template).

Maybe this:

Virtualmin --> Limits and Validation --> Validate Virtual Servers --> Reset Features

Please test how this works on a dev site as I have never used this, but it might do what you want.

Not my experience from then, but it may depend on the OS, I guess. As you are using Ubuntu 24.04, I would have thought this to be a new install with data restored from a backup. Is that correct?

Yes. Ubuntu 24.04 Server LTS, apache2.
14 years ago that was CentOS 6 with httpd.

And I restored a full .gz backup on the new server. Correct.

So was this a Virtualmin backup restored, or did you just restore a backup from some other source? If your backup was made from a Plesk or cPanel backup you should migrate rather than restore, so it is converted to the format Virtualmin understands. That said, I never used CentOS, so maybe even if you restore a Virtualmin backup you may end up with data that a modern version of Virtualmin can not understand.

It was from Virtualmin to Virtualmin.
(with all xx.tar.gz, xx.tar.gz.dom, xx.tar.gz.info)
I guess that all “packs” were recognized by Virtualmin (… dir, http dir, httpd config, sql, …)